Cyber criminals are using coronavirus-themed voicemail notifications in the latest efforts to act on pandemic fears and steal credentials. The example below shows how they are doing it.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic.
The attachment uses a naming convention similar to that of a global carrier to impersonate an audio file: ATT30406.
The .htm file serves two purposes for the threat actor. First, it hides a link that otherwise might be quickly flagged by security teams as suspicious. Second, it supports the expectation that voicemails are usually received as attachments.
URL: hXXps://firebasestorage.googleapis[dot]com/v0/b/kkjdodosos.appspot.com/o/ind2.html?alt=media&token=75ebe031-afff-48b4-b69e-22a2e15b93a7#{redacted}@{redacted}(dot).com.
When the end user clicks the file, they are directed to a Microsoft Office 365 (O365) phishing page requiring login credentials.
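For mail-gateway or SOC triage, the traits described above (an .htm attachment, a link to a file-hosting service, and the recipient's address carried in the URL fragment) can be checked mechanically. The following is an added example, not PhishLabs tooling or code from the original post. It assumes the attachment redirects through a meta refresh or an inline script, which the post does not specify, and the names `UrlCollector`, `triage_attachment` and `WATCHED_HOSTS` are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: file-hosting hosts worth flagging when linked from an HTML attachment.
WATCHED_HOSTS = {"firebasestorage.googleapis.com"}
URL_RE = re.compile(r"https?://[^\s'\"<>\[\]]+", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

class UrlCollector(HTMLParser):
    """Collect URLs from link attributes, meta refresh tags and inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls, self.auto_redirect, self.in_script = [], False, False
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self.in_script = tag == "script"
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.auto_redirect = True  # page navigates without user action
            self.urls += URL_RE.findall(a.get("content", ""))
        for name in ("href", "src", "action"):
            self.urls += URL_RE.findall(a.get(name, ""))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            found = URL_RE.findall(data)
            self.auto_redirect |= bool(found) and "location" in data
            self.urls += found

def triage_attachment(filename, html_text):
    """Return sorted finding labels for one attachment (empty list if not HTML)."""
    if not filename.lower().endswith((".htm", ".html")):
        return []
    parser = UrlCollector()
    parser.feed(html_text)
    labels = {"auto-redirect"} if parser.auto_redirect else set()
    for url in parser.urls:
        parts = urlsplit(url)
        if parts.hostname in WATCHED_HOSTS:
            labels.add("watched-host")
        if EMAIL_RE.match(parts.fragment):  # recipient address after '#'
            labels.add("email-in-fragment")
    return sorted(labels)

# Constructed sample, not the real attachment: bucket and address are placeholders.
SAMPLE = ('<html><head><meta http-equiv="refresh" content="0; url=https://'
          'firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/o/'
          'page.html?alt=media#user@example.com"></head></html>')
```

Any single label is weak evidence, since legitimate mail also links to hosting services. The three together on an unsolicited "voicemail" attachment are a reasonable threshold for quarantine and analyst review.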
Scammers are capitalizing on the coronavirus crisis through a variety of methods, and it is proving to be costly for Americans. A bogus audio file referencing the virus is just another channel threat actors are repurposing to effectively execute their campaigns.
For more intelligence on COVID-19 threats, see our ongoing coverage.